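Introduction
I could not find an official Zorro website, so the feature list below is taken from a Tieba post:
1. Multi-language support
2. Phone models: supports the 5 through the iPhone XS Max, with a choice of regional variants such as the US, Japanese and mainland China models
3. System versions: supports 8.0 to 12.2
4. Carriers: carriers of common countries and regions; new versions keep adding more, and requests can be submitted as feedback
5. Network types: 2G, 3G, 4G, WiFi
6. Anti-jailbreak detection: bypasses the app's jailbreak detection
7. Network simulation: covers network state and carrier-related information
8. Location simulation: simulates the location, generating latitude and longitude from the city of the current IP
9. Screen simulation: generally not recommended. When a small screen is simulated as a large one, the display may be cut off depending on how the app was developed; simulating a small screen on a Plus phone gives better results
10. Crash prevention when simulating a higher version: generally not recommended. This is mainly for games: when a game crashes on a low-version phone that is simulating a higher version, try enabling this option to see whether it helps. (The success rate for non-game apps is low.)
11. Comprehensive simulation of hardware information
12. Battery level, volume and signal strength simulation: the battery level is simulated automatically, including automatic discharge and hiding the charging state
13. Boot time tracking: the system boot time changes with every new-device reset
14. App install time tracking
15. Foreign-IP assisted latitude/longitude positioning: uses a paid API to set a random latitude and longitude in the city of the IP and supports resolving foreign IPs. If this option is not checked, a free API is used, which can only resolve the location of mainland China IPs.
16. HTTP API debugging
Source: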
apt.zorrovip.com
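Analysis
File system
/Applications/zorro.app/zorro user UI
/Applications/zorro.app/setting.dat disguised as /usr/libexec/cydiabash; a background daemon process
/usr/bin/zorrodaemon background daemon process
/Library/MobileSubstrate/DynamicLibraries/zorro.dylib the module that actually performs the device spoofing
/private/var/mobile/Library/Preferences/com.zorro.adv.plist new-device parameters
/private/var/mobile/Library/Preferences/com.zorro_enc.plist new-device parameters
Protection methods
- Simple anti-debugging plus SVC (exit)
- Anti packet capture ([NSURLSessionConfiguration setConnectionProxyDictionary:])
- Hikari obfuscation with all features enabled
- Communication data is JSON encrypted with RSA:
One-click new-device process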
/usr/bin/zorrodo cp -f /private/var/mobile/Library/Preferences/com.zorro_enc.plist /var/mobile/Media/ZORRO/20200502-20-31-24_enc.igri
/usr/bin/zorrodo mkdir /var/mobile/Media/ZORRO/20200502-20-31-24
/usr/bin/zorrodo /bin/cp -fp /var/mobile/Media/ZORRO/20200502-20-31-24_enc.igri /var/mobile/Media/ZORRO/20200502-20-31-24/record_enc.plist
/usr/bin/zorrodo /usr/bin/killall -9 MobileSafari
/usr/bin/zorrodo /usr/bin/killall -9 test223
/usr/bin/zorrodo /usr/bin/killall -9 MobileSafari
/usr/bin/zorrodo launchctl unload -w /System/Library/LaunchDaemons/com.apple.cfprefsd.xpc.daemon.plist
/usr/bin/zorrodo launchctl load -w /System/Library/LaunchDaemons/com.apple.cfprefsd.xpc.daemon.plist
/usr/bin/zorrodo mkdir /var/mobile/Media/ZORRO/20200502-20-31-24/Keychains
/usr/bin/zorrodo /bin/cp -fp /var/Keychains/keychain-2.db /var/mobile/Media/ZORRO/20200502-20-31-24/Keychains/keychain-2.db
/usr/bin/zorrodo /bin/cp -fp /var/Keychains/keychain-2.db-shm /var/mobile/Media/ZORRO/20200502-20-31-24/Keychains/keychain-2.db-shm
/usr/bin/zorrodo /bin/cp -fp /var/Keychains/keychain-2.db-wal /var/mobile/Media/ZORRO/20200502-20-31-24/Keychains/keychain-2.db-wal
/usr/bin/zorrodo cleanKeychains
/usr/bin/zorrodo /bin/cp -RTfp /var/mobile/Library/Caches/com.apple.Pasteboard /var/mobile/Media/ZORRO/20200502-20-31-24/com.apple.Pasteboard
sh -c rm -Rf /var/mobile/Library/Caches/com.apple.Pasteboard/*
sh -c rm -Rf /var/mobile/Library/Caches/com.apple.Pasteboard/*
sh -c rm -Rf /var/mobile/Library/Caches/com.apple.mobilesafari/*
sh -c rm -Rf /var/mobile/Library/Caches/Safari/*
sh -c rm -Rf /var/mobile/Library/WebKit/*
sh -c rm -Rf /var/mobile/Library/Safari/*
/usr/bin/zorrodo /bin/rm -rf /var/mobile/Library/Cookies/Cookies.binarycookies
/usr/bin/zorrodo /bin/rm -rf /private/var/root/Library/Cookies/Cookies.binarycookies
/usr/bin/zorrodo /bin/rm -rf /private/var/mobile/Containers/Data/Application/35797810-4509-4D40-9CA0-2D9895BD8293/CloudKit
/usr/bin/zorrodo /bin/rm -rf /private/var/mobile/Containers/Data/Application/35797810-4509-4D40-9CA0-2D9895BD8293/Documents
/usr/bin/zorrodo /bin/rm -rf /private/var/mobile/Containers/Data/Application/35797810-4509-4D40-9CA0-2D9895BD8293/Library
/usr/bin/zorrodo /bin/rm -rf /private/var/mobile/Containers/Data/Application/35797810-4509-4D40-9CA0-2D9895BD8293/tmp
/usr/bin/zorrodo mkdir /private/var/mobile/Containers/Data/Application/35797810-4509-4D40-9CA0-2D9895BD8293/Documents
/usr/bin/zorrodo mkdir /private/var/mobile/Containers/Data/Application/35797810-4509-4D40-9CA0-2D9895BD8293/Library/Preferences
/usr/bin/zorrodo mkdir /private/var/mobile/Containers/Data/Application/35797810-4509-4D40-9CA0-2D9895BD8293/Library/Caches
/usr/bin/zorrodo mkdir /private/var/mobile/Containers/Data/Application/35797810-4509-4D40-9CA0-2D9895BD8293/tmp
/usr/bin/zorrodo /bin/rm -rf /private/var/mobile/Containers/Data/Application/4C3E7DAE-EF81-43CF-BD94-E956605C6330/Documents
/usr/bin/zorrodo /bin/rm -rf /private/var/mobile/Containers/Data/Application/4C3E7DAE-EF81-43CF-BD94-E956605C6330/Library
/usr/bin/zorrodo /bin/rm -rf /private/var/mobile/Containers/Data/Application/4C3E7DAE-EF81-43CF-BD94-E956605C6330/tmp
/usr/bin/zorrodo mkdir /private/var/mobile/Containers/Data/Application/4C3E7DAE-EF81-43CF-BD94-E956605C6330/Documents
/usr/bin/zorrodo mkdir /private/var/mobile/Containers/Data/Application/4C3E7DAE-EF81-43CF-BD94-E956605C6330/Library/Preferences
/usr/bin/zorrodo mkdir /private/var/mobile/Containers/Data/Application/4C3E7DAE-EF81-43CF-BD94-E956605C6330/Library/Caches
/usr/bin/zorrodo mkdir /private/var/mobile/Containers/Data/Application/4C3E7DAE-EF81-43CF-BD94-E956605C6330/tmp
/usr/bin/zorrodo cleanKeychains
/usr/bin/zorrodo /bin/chown mobile:mobile /private/var/mobile/Library/Preferences/com.zorro_enc.plist
/usr/bin/zorrodo /bin/mv /var/mobile/Documents/ls.igri /var/mobile/Media/ZORRO/20200502-20-35-14_enc.igri
/usr/bin/zorrodo /bin/cp -f /var/mobile/Media/ZORRO/20200502-20-35-14_enc.igri /private/var/mobile/Library/Preferences/com.zorro_enc.plist
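Modified parameters:
fork/dladdr/dyld_get_image_name/getenv/fopen/__opendir2/stat/lstat/access hides the jailbreak from detection
NSFileManager/NSString/UIApplication/NSArray/WXOMTAHelper hides the jailbreak from detection
UIScreen modifies the resolution
sysctl modifies device name, device model, iOS version, boot time, CPU core count, etc.
sysctlbyname modifies device name, device model, iOS version, boot time, CPU core count, etc.
uname modifies device name, device model, iOS version, etc.
UIDevice modifies device model, iOS version, device name, IDFV, battery information
ASIdentifierManager modifies IDFA
LSApplicationWorkspace/LSApplicationProxy modifies IDFA/IDFV
UIApplication modifies APNs
NSProcessInfo modifies device name, iOS version, environment variables, CPU core count
MFMessageComposeViewController modifies the system SMS sending configuration
AVAudioSession modifies the volume
IORegistryEntrySearchCFProperty device name, device serial number, IMEI, Bluetooth address, region code, chip ID, MAC address, etc.
IORegistryEntryCreateCFProperty device name, device serial number, IMEI, Bluetooth address, region code, chip ID, MAC address, etc.
IORegistryEntryCreateCFProperties device name, device serial number, IMEI, Bluetooth address, region code, chip ID, MAC address, etc.
_CTServerConnectionCopyMobileIdentity device name, device serial number, IMEI, Bluetooth address, region code, chip ID, MAC address, etc.
_CTServerConnectionCopyMobileEquipmentInfo device name, device serial number, IMEI, Bluetooth address, region code, chip ID, MAC address, etc.
MGCopyAnswer device name, device serial number, IMEI, Bluetooth address, region code, chip ID, MAC address, etc.
SCNetworkReachabilityGetFlags modifies the network type, WIFI/2G/3G/4G
CNCopySupportedInterfaces modifies the WIFI name and BSSID
CNCopyCurrentNetworkInfo modifies the WIFI name and BSSID
getifaddrs modifies the LAN IPv4/IPv6/MAC addresses
SCNetworkReachabilityGetFlags modifies network information
NSFileManager/NSProcessInfo modifies storage capacity and memory size
SCNetworkInterfaceGetInterfaceType/kSCNetworkInterfaceTypeIEEE80211/SCNetworkInterfaceGetBSDName modifies network interface information
CTCarrier modifies carrier information, including carrier name, MCC, MNC, ICC, TECH, VOIP
CTTelephonyNetworkInfo modifies carrier information, including carrier name, MCC, MNC, ICC, TECH, VOIP
CLLocation/CLLocationManager modifies location parameters
Configuration file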
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AdvertisingIdentifier</key>
<string>...........</string>
<key>BluetoothAddress</key>
<string>.............</string>
<key>Build</key>
<string>31000</string>
<key>Carrier</key>
<array>
<string>13</string>
</array>
<key>CarrierName</key>
<string>遠傳電信</string>
<key>CarrierVersionString</key>
<real>14</real>
<key>CountryCode</key>
<string>466</string>
<key>CpuCount</key>
<integer>2</integer>
<key>CurrentMobileId</key>
<string></string>
<key>CurrentSubscriberId</key>
<string></string>
<key>DeviceBatteryLeave</key>
<real>0.56000000000000005</real>
<key>DeviceBatteryState</key>
<integer>1</integer>
<key>DeviceBoottime</key>
<string>1499429965</string>
<key>DeviceCategory</key>
<string>iPhone</string>
<key>DeviceFreeSize</key>
<integer>10781809186</integer>
<key>DeviceName</key>
<string>iPhone</string>
<key>DeviceToken</key>
<string>...............</string>
<key>DeviceTotalSize</key>
<integer>30808743955</integer>
<key>Enabled</key>
<true/>
<key>EthernetBSSID</key>
<string>............</string>
<key>EthernetIPv4Address</key>
<string>192.168.123.43</string>
<key>EthernetIPv6Address</key>
<string>.....................</string>
<key>EthernetMacAddress</key>
<string>cf:d0:6d:dc:9e:34</string>
<key>EthernetRSSID</key>
<string></string>
<key>EthernetSSID</key>
<string>TP-Link_35FA58</string>
<key>GeoRadius</key>
<real>10</real>
<key>Heading</key>
<real>63.170999999999999</real>
<key>ICCID</key>
<string>...............</string>
<key>IMSI</key>
<string>...................</string>
<key>ISOCountryCode</key>
<string>tw</string>
<key>IdentifierForVendor</key>
<string>......................</string>
<key>InternationalMobileEquipmentIdentity</key>
<string>330563646423620</string>
<key>InverseDeviceID</key>
<string>...................</string>
<key>KernVersion</key>
<string>Darwin Kernel Version 18.7.0: Mon Aug 19 22:24:08 PDT 2019; root:xnu-4903.272.1~1/RELEASE_ARM64_S8000</string>
<key>LicenseAccepted</key>
<true/>
<key>MEID</key>
<string>..............</string>
<key>MLBSerialNumber</key>
<string>..............</string>
<key>NetType</key>
<array>
<string>5</string>
</array>
<key>NetworkCode</key>
<string>01</string>
<key>NetworkInterfaces</key>
<dict/>
<key>NetworkType</key>
<integer>5</integer>
<key>OSRelease</key>
<string>18.7.0</string>
<key>OSVersions</key>
<array>
<string>13.3.1</string>
</array>
<key>OpenUDIDValue</key>
<string>.......................</string>
<key>Phones</key>
<array>
<string>iPhone8,4</string>
</array>
<key>PhysicalMemory</key>
<integer>1919350728</integer>
<key>ProductHWModel</key>
<string>N69AP</string>
<key>ProductModel</key>
<string>MP9E2</string>
<key>ProductType</key>
<string>iPhone8,4</string>
<key>RegionCode</key>
<string>TW</string>
<key>RegionInfo</key>
<string>TW/A</string>
<key>ReplaceApplicationIdentifierList</key>
<array>
<string>kjc.loader</string>
<string>com.saurik.Cydia</string>
<string>com.643d.08cab7</string>
<string>zorro</string>
</array>
<key>ReplaceIOKitProperties</key>
<dict/>
<key>ReplaceMGCopyAnswer</key>
<dict/>
<key>SafariBuild</key>
<string>15E148</string>
<key>SafariCv</key>
<string>605.1.15</string>
<key>SafariMv</key>
<string>604.1</string>
<key>ScreenBrightness</key>
<real>0.5853419303894043</real>
<key>ScreenType</key>
<dict>
<key>height</key>
<integer>1334</integer>
<key>scale</key>
<integer>2</integer>
<key>width</key>
<integer>750</integer>
</dict>
<key>SerialNumber</key>
<string>............</string>
<key>ServiceString</key>
<string>遠傳電信</string>
<key>SwitchAutoBackup</key>
<true/>
<key>SwitchFakeAppInstall</key>
<true/>
<key>SwitchFakeCarrierInfo</key>
<true/>
<key>SwitchFakeDeviceAdv</key>
<true/>
<key>SwitchFakeDeviceStartup</key>
<true/>
<key>SwitchFakeHigh</key>
<false/>
<key>SwitchFakeJailbreak</key>
<true/>
<key>SwitchFakeLocation</key>
<true/>
<key>SwitchFakeNetworkInfo</key>
<true/>
<key>SwitchFakeSafari</key>
<true/>
<key>SwitchFakeScreen</key>
<false/>
<key>SwitchFakeSignal</key>
<true/>
<key>SwitchFakeVPN</key>
<true/>
<key>SwitchLocationAutoAdjust</key>
<true/>
<key>SwitchLocationByIP</key>
<true/>
<key>SwitchSmartAirplane</key>
<false/>
<key>SystemBuildVersion</key>
<string>17D50</string>
<key>SystemName</key>
<string>iPhone OS</string>
<key>SystemUpdatetime</key>
<integer>75441</integer>
<key>SystemVersion</key>
<string>13.3.1</string>
<key>UniqueChipID</key>
<string>31856195358517356</string>
<key>UniqueDeviceID</key>
<string>..........</string>
<key>UniqueIdentifier</key>
<string>.............</string>
<key>Volume</key>
<real>0.875</real>
<key>ZorroKey</key>
<string>1500000000</string>
<key>appLanguage</key>
<string>zh-Hant</string>
<key>applist</key>
<array>
<string>com.test</string>
</array>
<key>excludeapplist</key>
<array>
<string>com.test</string>
</array>
<key>iOSVer</key>
<string>12.400000</string>
<key>zorropath</key>
<string>20170714-10-40-00</string>
</dict>
</plist>
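Summary
Defects
- Data mismatch
For example, sysctlbyname/sysctl/uname/NSProcessInfo return different results for the same parameter, including the following fields:
kern.version hw.model hw.ncpu
kern.boottime (the author copies the integer value with strcpy, so the high 32 bits of the value are not cleared and the resulting time falls after the year 2100)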
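The mismatches described above are what a server-side consistency check can look for. The following is an added example, not code from Zorro or from the original post: it compares the values a client reported through each API and flags boot times no genuine device could report, going one step beyond the text by also comparing the boot time with the build date embedded in kern.version. The telemetry layout and all sample values are constructed, except the KernVersion string and the DeviceBoottime value, which come from the configuration file above.

```python
import re
from datetime import datetime, timezone

# KernVersion string taken from the configuration file shown above.
KERN = ("Darwin Kernel Version 18.7.0: Mon Aug 19 22:24:08 PDT 2019; "
        "root:xnu-4903.272.1~1/RELEASE_ARM64_S8000")

# Constructed telemetry (hypothetical format): one device, the same keys read
# through each API by a client SDK. 1499429965 is DeviceBoottime from the
# config above; every other differing value is made up for illustration.
SAMPLE = {
    "sysctl":        {"kern.version": KERN, "hw.model": "N69AP", "hw.ncpu": 2,
                      "kern.boottime": 1499429965},
    "sysctlbyname":  {"kern.version": KERN, "hw.model": "N71AP", "hw.ncpu": 2,
                      "kern.boottime": (0x7F << 32) | 1499429965},
    "uname":         {"kern.version": KERN.replace("18.7.0", "19.3.0")},
    "NSProcessInfo": {"hw.ncpu": 6},
}

def mismatched_fields(report):
    """Return the keys for which two API sources reported different values."""
    seen = {}
    for values in report.values():
        for key, value in values.items():
            seen.setdefault(key, set()).add(value)
    return sorted(k for k, v in seen.items() if len(v) > 1)

def kernel_build_epoch(version):
    """Extract the build date embedded in kern.version (timezone ignored)."""
    m = re.search(r": \w{3} (\w{3} +\d+ [\d:]{8}) \w+ (\d{4});", version)
    built = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%b %d %H:%M:%S %Y")
    return int(built.replace(tzinfo=timezone.utc).timestamp())

def boottime_findings(report, now):
    """Flag boot times that no genuine device could report."""
    findings = set()
    for source, values in report.items():
        boot = values.get("kern.boottime")
        if boot is None:
            continue
        if boot >> 32:  # stale upper half: any such value lies past year 2106
            findings.add((source, "high-32-bits-set"))
        if boot > now:
            findings.add((source, "in-future"))
        kern = values.get("kern.version")
        if kern and boot < kernel_build_epoch(kern):
            findings.add((source, "before-kernel-build"))
    return sorted(findings)
```

With the sample configuration's own values, the boot time (July 2017) precedes the kernel build date (August 2019), so the profile is flagged even when every API agrees.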
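Overall, Zorro modifies a more complete set of parameters than other tools and also offers backup and restore for the pasteboard; it is probably the highest-quality app among publicly available software of its kind. This article is for technical research only; do not use it for commercial or illegal purposes.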